Pages

Wednesday, March 20, 2013

ICS-CERT Publishes 4 Advisories

Today ICS-CERT published three new advisories for
vulnerabilities in systems from Siemens and Schweitzer Engineering Laboratories
(SEL) and updated a very recently published advisory from Schneider Electric.

Schneider Update

This has got to be one of the fastest advisory updates,
on Monday ICS-CERT published
the advisory and today the published the update. The update provides a
reference to the update to the original alert that reported Schneider’s claim
that two of the four reported vulnerabilities were not actually
vulnerabilities. It goes on to provide some more detailed explanation of
Schneider’s reasoning.

This update also addresses an issue I raised in my blog
post, the failure of Schneider to produce a patch or update to correct the two
acknowledged vulnerabilities, relying instead on recommendations (detailed
recommendations to be sure) for the use of a firewall to prevent unauthorized
access to the vulnerabilities.

The updated advisory explains that Schneider “does not plan
to issue patches because of their complex nature. Schneider Electric says that
fixing these vulnerabilities would require significant changes to existing
protocols and make any customer solutions currently using these features
incompatible” (pg 2).

Now I’m not a software engineer, so I can’t comment on the complexity
of fixing the problem, but I know that I’m not alone in thinking that this is a
short-sighted response from Schneider. A commenter today on one of the LinkedIn
groups where I
started a discussion about yesterday’s blog post said:

“Looks like we will be looking at
adding Tofino firewalls to their systems. Long term we will be looking at
migrating away from hardware with known issues as it is only a matter of time
before something gets around the firewall.”

SEL Advisory

This advisory
describes an improper authorization vulnerability in the SEL AcSELerator QuickSet software reported by Michael Toecker
of DigitalBond. The vulnerability was initially disclosed to the vendor, but it
was then reported at the S4 Conference in January. Since it was a coordinated
disclosure, ICS-CERT did not issue an alert on the vulnerability when it was
publicly disclosed in January. (NOTE: See Michael’s DigitalBond blog
post about vendor responses to disclosures which mentions this vulnerability.)

The advisory reports that a highly skilled attacker could
use this vulnerability to replace executables within the SEL Program Files
directory. The attacker would require access to the computer as an authorized
user to exploit this vulnerability.

SEL has produced a new
version of the affected software that only allows an authenticated
Administrator to change executables. The advisory does not mention if they or
Michael have verified the efficacy of the new version to correct this
vulnerability. Does that mean that there has been no verification or that the
drafter of this advisory simply failed to mention the fact? Please, let’s have
some consistency here.

Siemens WinCC
Advisory

This advisory
describes multiple vulnerabilities reported by Sergey Gordeychik of Positive
Technologies and Siemens ProductCERT in a coordinated disclosure. The
vulnerabilities include:

ICS-CERT reports that a low to medium skilled attacker could
remotely exploit these vulnerabilities to execute a DoS attack, gain read
access to files or remotely execute arbitrary code. Siemens has produced an
updated version of the software that is available through customer support.

ICS-CERT reports that a low to medium skilled attacker using
a social engineering attack or having valid user credentials could exploit
these vulnerabilities to execute a Dos attack, gain access to system files, or
execute arbitrary code. Siemens has produced an updated version of the software,
but recommends disabling the web server as a work-around for the web based
vulnerabilities until the new software can be installed.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. Most recently I worked as a QA/R&D Manager in a specialty chemical manufacturing facility. Currently I am working as a freelance writer.